In this article, I will share how I found a reflected XSS on my target (redacted.com).
The program was an RDP and they do not allow disclosure. As the target does not provide payments or gifts in exchange, it's time for the hall of fame!
Most commonly I use subfinder + httpx to enumerate subdomains. I got a subdomain "sub.redacted.com", visited it and found a search bar. So I tried my payload <script>alert(1)</script> to see the response.
Hell! Cloudflare blocked me!
Almost every tag was blocked by Cloudflare except <svg>. So I did a quick Google search for an SVG attack vector to bypass it and finally found a tweet:
payload: <svg onload=alert%26%230000000040"1')>
Bypassed! sub.redacted.com alerted "1".
This is how I bypassed the Cloudflare WAF and found a reflected XSS!
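From the defensive side, the reason the payload above gets past a literal filter is that it stacks percent-encoding on top of a zero-padded numeric HTML entity, so a rule looking for "alert(" never sees it; a detection or WAF rule has to peel both layers before matching. The following Python (example code added here, not the author's or Cloudflare's) decodes a constructed sample of that payload shape the way a browser would and compares a naive match against a normalized one:

```python
import html
import re
from urllib.parse import unquote

# Constructed sample in the shape discussed above: '&#' is percent-encoded
# and the '(' is a decimal entity padded with leading zeros (&#0000000040).
SAMPLE_INPUT = '<svg onload=alert%26%230000000040"1\')>'

# Signature for a JS sink called from an inline event handler attribute.
EVENT_HANDLER_CALL = re.compile(
    r'on\w+\s*=\s*[^>]*\b(alert|eval|prompt|confirm)\s*\(', re.IGNORECASE)


def normalize(value: str, max_rounds: int = 3) -> str:
    """Undo the encoding layers that sit in front of the HTML parser.

    1. Percent-decode repeatedly (bounded) until the value stops changing,
       which turns %26%23 back into '&#'.
    2. HTML-entity-decode once, as the browser does for attribute values.
       html.unescape accepts decimal and hex references with or without a
       trailing ';' and ignores leading zeros, so &#0000000040 becomes '('.
    """
    prev = None
    for _ in range(max_rounds):
        if value == prev:
            break
        prev = value
        value = unquote(value)
    return html.unescape(value)


def naive_match(raw: str) -> bool:
    """Match the signature against the raw request value only."""
    return bool(EVENT_HANDLER_CALL.search(raw))


def normalized_match(raw: str) -> bool:
    """Match the same signature after decoding, the way the browser sees it."""
    return bool(EVENT_HANDLER_CALL.search(normalize(raw)))


if __name__ == "__main__":
    print("decoded :", normalize(SAMPLE_INPUT))
    print("naive   :", naive_match(SAMPLE_INPUT))       # False: '(' never appears raw
    print("normalized:", normalized_match(SAMPLE_INPUT))  # True
```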